Presentation Agenda

• CPS2: Capcom Play System 2

• What is it, history, security overview...

• Super Street Fighter 2X

• Debugging, patching...

• CPS2 and Radare2 <3

• CPS2 crypto support, demos...



























CPS2: Specs


• Primary CPU: Motorola 68000 @ 16 MHz

• Sound CPU: Z80 @ 8 MHz

• Display: 384x224 @ 59.6294 Hz



CPS2: History 


• CPS-1 games were easy to copy & bootlegs (unauthorised game copies) appeared

• (02/1991) Street Fighter II: The World Warrior

• (03/1992) Street Fighter II': Champion Edition

• (12/1992) Street Fighter II Turbo: Hyper Fighting

• CPS-2 == CPS-1 with a faster processor and encrypted game ROMs

• (09/1993) Super Street Fighter II: The New Challengers

• (02/1994) Super Street Fighter II Turbo

• (12/2003) Hyper Street Fighter II: The Anniversary Edition




CPS2: Suicide Battery (1) 


• The CPS-2 'B' boards hold a battery-backed memory (SRAM) containing the decryption keys needed for the games to run

• When the battery dies, the game will no longer work --> blue screen

[Photo: 3.6V Lithium battery, size 1/2 AA (Elfa part #69-282-12)]


















CPS2: Suicide Battery (2) 




CPS2: Encryption (1) 


• In January 2001, the CPS-2 Shock group (Razoola 
and CrashTest) with Charles MacDonald, obtained 
unencrypted program data by hacking into the 
hardware 


• They distributed XOR difference tables (8GiB) to 
produce unencrypted data from the original ROM 
images --> Emulation possible 




CPS2: Encryption (2) 


• In January 2007, the encryption was fully reverse-engineered by Andreas Naive and Nicola Salmoria (MAME author).

• The encryption only affects opcodes, not data.

• The encryption consists of two 4-round Feistel networks with a 64-bit key and involves both the 16-bit opcode and the low 16 bits of the address.

• The algorithm was implemented for all CPS-2 games in MAME.




CPS2: Memory Map 

0x000000 - 0x3FFFFF   Main Program
0x400000 - 0x40000A   Encryption (the battery memory)
0x618000 - 0x619FFF   Shared RAM for the Z80 (tells what sfx or music to play)
0x660000 - 0x663FFF   Network Memory
0x900000 -            Start of Graphic memory (can change with each game)

Super Turbo:

0x900000 - 0x903FFF   Palette
0x904000 - 0x907FFF   16x16
0x908000 - 0x90BFFF   32x32
0x90C000 - 0x90FFFF   8x8
0x910000 - 0x913FFF   16x16, mainly HUD and character names on the select screen

0xFF0000 - 0xFFFFFF   Main Memory





CPS2: Revive Dead B-Boards (1) 


• Decrypt all encrypted data so that you end up with a fully decrypted ROM image.

• Patch all reads and writes to the 0x400000-0x40000A memory region to 0xFFFFF0-0xFFFFFA (bottom of the normal WORK RAM).

• Patch all routines not to clear this region during any memory clearing activities.

• Patch any part of the game code that uses this region of WORK RAM to use a different region.



CPS2: Revive Dead B-Boards (2) 


• Reprogram the EPROMs with the decrypted ROM images

• Desolder/Remove the Battery (bottom right corner of the board)

• Short the 2 leads of the electrolytic capacitor next to where the + terminal was together for several seconds.

• Boot up the game, cross fingers :)



CPS2: Revive Dead B-Boards (3) 


• Phoenix Edition "Decrypted" ROMs 

• Created by Razoola 

• Include some patches like region change & jukebox 


• Avalaunch "Decrypted" ROMs 

• Created by Team Avalaunch (L_Oliveira, MottZilla 
and idc) 

• No extra features 



CPS2: Revive Dead B-Boards (4)


• In April 2016, Artemio Urbina, Ian Court and Eduardo Cruz successfully reverse engineered Capcom's CPS2 security programming, making possible a clean desuicide and restoration of any dead game without hardware modifications.




CPS2: Security Timeline 




[Timeline graphic, ending at 2016:]

• CPS2 Released

• XOR Diff Tables (+8 years)

• Encryption keys obtained (+14 years)

• Security programming RE (+23 years)



Super Street Fighter 2X 

























SSF2X: Debugging 


• mame -debug ssf2xj

• Ctrl+M (Cmd+D on Mac) to open the memory window

• Address 0xFF844E

• Offset for P2 base is 0x400




[Screenshot: MAME debugger version 0.162 (May 28 2015) attached to ssf2xj (Super Street Fighter II X: Grand Master Challenge (Japan 940223)), stopped at PC 000A20 with A5 = FFFF8000; memory window at FF844E, disassembly window at 000A14-000A5A (the trap #5 / trap #6 handlers). Console session:]

>go
>go
>bpset 1d56
Breakpoint 1 set
>go
Stopped at breakpoint 1
>go
Stopped at breakpoint 1
>bpclear 1
Breakpoint 1 cleared
>go
>go












































































































SSF2X: Lua Scripting (1) 


• mame-rr-lua

• memory.readbyte(), memory.readword()

• memory.writebyte(), memory.writeword()

• gui.text(), emu.frameadvance()




SSF2X: Lua Scripting (2) 


-- The literal addresses, values, coordinates and messages of this script did
-- not survive extraction of the slide; the names below are placeholders for
-- them (each gui.text call had its own coordinates in the original).
local MATCH_STATE_ADDR  = nil  -- placeholder: word checked to tell "in match" from "not in match"
local NOT_IN_MATCH      = nil  -- placeholder: value of that word outside a match
local P1_BASE           = nil  -- placeholder: base address of the P1 structure
local P2_OFFSET         = nil  -- placeholder: offset from the P1 to the P2 structure
local INFO_OFFSET       = nil  -- placeholder: offset of the "move info" byte inside a structure
local TEXT_X, TEXT_Y    = nil, nil  -- placeholder: screen position of the messages
local MSG_NOT_IN_MATCH  = "<message>"  -- placeholder
local MSG_NO_NAMES      = "<message>"  -- placeholder
local MSG_P1_A, MSG_P1_B = "<message>", "<message>"  -- placeholder
local MSG_P2_A, MSG_P2_B = "<message>", "<message>"  -- placeholder
-- placeholder: the five info-byte values compared below (see the comments at the end)
local INFO_1, INFO_2, INFO_3, INFO_4, INFO_5 = nil, nil, nil, nil, nil

-- player_names is defined elsewhere in the script (not shown on the slide)
local function draw_messages()
    if memory.readword(MATCH_STATE_ADDR) == NOT_IN_MATCH then -- if not in match
        gui.text(TEXT_X, TEXT_Y, MSG_NOT_IN_MATCH)
        return
    end
    if not player_names then
        gui.text(TEXT_X, TEXT_Y, MSG_NO_NAMES)
        return
    end
    local p1_info = memory.readbyte(P1_BASE + INFO_OFFSET)
    local p2_info = memory.readbyte(P1_BASE + P2_OFFSET + INFO_OFFSET)
    gui.text(TEXT_X, TEXT_Y, p1_info)
    gui.text(TEXT_X, TEXT_Y, p2_info)
    if (p1_info == INFO_1 or p1_info == INFO_2 or p1_info == INFO_3 or p1_info == INFO_4) then
        gui.text(TEXT_X, TEXT_Y, MSG_P1_A)
    end
    if (p1_info == INFO_5) then
        gui.text(TEXT_X, TEXT_Y, MSG_P1_B)
    end
    if (p2_info == INFO_1 or p2_info == INFO_2 or p2_info == INFO_3 or p2_info == INFO_4) then
        gui.text(TEXT_X, TEXT_Y, MSG_P2_A)
    end
    if (p2_info == INFO_5) then
        gui.text(TEXT_X, TEXT_Y, MSG_P2_B)
    end
    -- 0C = Can only be blocked high (Aerial move/overhead)
    -- 26 = Can only be blocked high. Full KD
    -- 28 = Can only be blocked low, Forces Standing Fierce/Rh hitstun/pushback, Full KD against aerial opponents only
    -- 4a = Juggleable [3-hit limit]. Can only be blocked high (Ryu/Dic's j.strong)
    return
end





SSF2X: Cheats 


• RAM cheats usually change the data the game has in RAM (i.e. change the value at a fixed memory address)

• ROM cheats patch the game's program code to force the game engine to take a different path





SSF2X: MAME Debugger Demo (1) 


[Screenshot: MAME debugger on ssf2xj (Super Street Fighter II X: Grand Master Challenge (Japan 940223)) stopped at PC 00197C with A5 = FFFF8000; memory window at FF844E, disassembly window at 00196E-0019C2, and the console showing the output of "help cheat":]

Cheat Commands
Type help <command> for further details on each command

cheatinit [<address>,<length>[,<cpu>]] -- initialize the cheat search to the selected memory area
cheatrange <address>,<length> -- add to the cheat search the selected memory area
cheatnext <condition>[,<comparisonvalue>] -- continue cheat search comparing with the last value
cheatnextf <condition>[,<comparisonvalue>] -- continue cheat search comparing with the first value
cheatlist [<filename>] -- show the list of cheat search matches or save them to <filename>
cheatundo -- undo the last cheat search (state only)














































































































































































































































SSF2X: MAME Debugger Demo (2) 


[Screenshot: MAME debugger on ssf2xj stopped at PC 00197C with A5 = FFFF8000. Disassembly window:]

00196E  33ED 004E 0080 4166  move.w ($4e,A5), $804166.l
001976  303C 0020            move.w #$20, D0
00197A  60AC                 bra $1928
00197C  4A2D 61CA            tst.b ($61ca,A5)
001980  6632                 bne $19b4
001982  4A2D 038C            tst.b ($38c,A5)
001986  6612                 bne $199a
001988  33ED 02C4 0080 40E0  move.w ($2c4,A5), $8040e0.l
001990  422D 02C8            clr.b ($2c8,A5)
001994  1B7C 0001 038D       move.b #$1, ($38d,A5)
00199A  48E7 FFFE            movem.l D0-D7/A0-A6, -(A7)
00199E  6100 00CC            bsr $1a6c
0019A2  4EB9 0001 0EFC       jsr $10efc.l
0019A8  4EB9 0001 0EFC       jsr $10efc.l
0019AE  4CDF 7FFF            movem.l (A7)+, D0-D7/A0-A6
0019B2  4E73                 rte
0019B4  4A2D 0364            tst.b ($364,A5)
0019B8  6612                 bne $19cc
0019BA  33ED 02C4 0080 40E0  move.w ($2c4,A5), $8040e0.l
0019C2  422D 02C8            clr.b ($2c8,A5)

[Console:]

>cheatinit
81940 cheat initialized for CPU index 0 ( aka :maincpu )
>go
>cheatnext -,1
Address=FF8467 Start=03 Current=02
Address=FF8867 Start=03 Current=02
Address=FF8DCE Start=34 Current=33
Address=FFD2FB Start=07 Current=06

cheatnext -,1 searches for all bytes that have decreased by one since we ran the cheatinit command.
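The narrowing that cheatinit / cheatnext perform, as an added example (this is not code from the talk or from MAME): a first snapshot is kept as the "Start" column, every byte begins as a candidate, and each search step drops the candidates whose change since the reference snapshot does not satisfy the condition. The snapshots below are constructed, not captured from the game; byte 2 plays the role of a timer that ticks down once per step, as FF8DCE does in the session above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Model of the MAME cheat-search commands: cheatinit snapshots the region,
 * cheatnext compares against the previous snapshot, cheatnextf against the
 * first one. Only 16 bytes are modelled, enough to show the mechanics. */
#define RAM_SIZE 16
typedef enum { COND_DECREASE_BY, COND_INCREASE_BY, COND_EQUAL_TO, COND_CHANGED } cheat_cond;

typedef struct {
	uint32_t base;                /* address of byte 0 of the region    */
	uint8_t  first[RAM_SIZE];     /* snapshot at cheatinit ("Start=")    */
	uint8_t  last[RAM_SIZE];      /* snapshot at the previous step       */
	bool     candidate[RAM_SIZE]; /* still matched every step so far     */
} cheat_search;

void cheat_init(cheat_search *s, uint32_t base, const uint8_t *ram)
{
	s->base = base;
	memcpy(s->first, ram, RAM_SIZE);
	memcpy(s->last, ram, RAM_SIZE);
	for (size_t i = 0; i < RAM_SIZE; i++)
		s->candidate[i] = true;   /* every byte starts as a candidate */
}

/* Does the byte's change from ref to now satisfy the condition (v = exact amount)? */
static bool matches(cheat_cond c, uint8_t ref, uint8_t now, uint8_t v)
{
	switch (c) {
	case COND_DECREASE_BY: return ref >= now && (uint8_t)(ref - now) == v;
	case COND_INCREASE_BY: return now >= ref && (uint8_t)(now - ref) == v;
	case COND_EQUAL_TO:    return now == v;
	case COND_CHANGED:     return now != ref;
	}
	return false;
}

/* One search step over a fresh snapshot; against_first selects cheatnextf
 * semantics. Returns the number of candidates that remain. */
size_t cheat_next(cheat_search *s, const uint8_t *ram, cheat_cond c, uint8_t v,
                  bool against_first)
{
	size_t remaining = 0;
	for (size_t i = 0; i < RAM_SIZE; i++) {
		uint8_t ref = against_first ? s->first[i] : s->last[i];
		if (s->candidate[i] && !matches(c, ref, ram[i], v))
			s->candidate[i] = false;
		if (s->candidate[i])
			remaining++;
	}
	memcpy(s->last, ram, RAM_SIZE);   /* the new snapshot becomes "last" */
	return remaining;
}

/* Print the survivors in the debugger's "Address=.. Start=.. Current=.." form. */
void cheat_list(const cheat_search *s)
{
	for (size_t i = 0; i < RAM_SIZE; i++)
		if (s->candidate[i])
			printf("Address=%X Start=%02X Current=%02X\n",
			       s->base + (uint32_t)i, s->first[i], s->last[i]);
}

/* Constructed snapshots of 16 bytes starting at a made-up address. */
const uint8_t SNAP_INIT[RAM_SIZE]  = {0x00,0x10,0x03,0x03,0x34,0x34,0x07,0x99, 0,0,0,0,0,0,0,0};
const uint8_t SNAP_STEP1[RAM_SIZE] = {0x00,0x0F,0x02,0x03,0x33,0x32,0x07,0x98, 0,0,0,0,0,0,0,0};
const uint8_t SNAP_STEP2[RAM_SIZE] = {0x00,0x0F,0x01,0x03,0x32,0x32,0x07,0x98, 0,0,0,0,0,0,0,0};

int main(void)
{
	cheat_search s;
	cheat_init(&s, 0xFF8460, SNAP_INIT);                              /* cheatinit   */
	printf("%zu left\n", cheat_next(&s, SNAP_STEP1, COND_DECREASE_BY, 1, false)); /* cheatnext -,1 */
	printf("%zu left\n", cheat_next(&s, SNAP_STEP2, COND_DECREASE_BY, 1, false)); /* cheatnext -,1 */
	cheat_list(&s);                                                   /* cheatlist   */
	return 0;
}
```

After the first step four bytes survive (1, 2, 4 and 7 all dropped by exactly one); after the second only bytes 2 and 4 still fit, which is why repeating the condition while the game runs converges on the timer so quickly.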





















SSF2X: MAME Cheats (1) 


<cheat desc=" Infinite Time"> 

<script state="run"> 

<action>maincpu.pb@FF8DCE=99</action> 

</script> 

</cheat> 

1. maincpu: This is the tag of the CPU whose memory you want 
to poke, maincpu is in 99% of cases the tag you will need 




SSF2X: MAME Cheats (2) 


<cheat desc=" Infinite Time"> 

<script state="run"> 

<action>maincpu.pb@FF8DCE=99</action> 

</script> 

</cheat> 

2. p : memory space that needs to be poked, there are 7 possibilities: 
p = program write (most RAM cheats need this) 
m = region write (most ROM cheats use this) 
r = RAM write 

o = Opcode Write (often used for encrypted memory) 
d = data write 
i = i/o write 
3 = SPACE3 write 




SSF2X: MAME Cheats (3) 


<cheat desc=" Infinite Time"> 

<script state="run"> 

<action>maincpu.pb@FF8DCE=99</action> 

</script> 

</cheat> 

3. b : memory size of what's being poked, there are 4 possibilities: 
b (byte) 

w (word=2 bytes) 
d (doubleword=4 bytes) 
q (quadword=8 bytes) 




SSF2X: MAME Cheats (4) 


<cheat desc="Infinite Energy P1"> 

<script state="run"> 

<action>maincpu.pw@FF8478=90</action> 

</script> 

</cheat> 

• More examples: https://github.com/poliva/ssf2xj 
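A parser for the action syntax explained on the last three slides, as an added example (not from the talk, MAME or the ssf2xj repository): it splits "<tag>.<space><size>@<address>=<value>" into its parts, rejects unknown space or size letters, and applies the poke big-endian (the 68000's byte order) to a buffer that models a RAM window. Bare numbers are read as hexadecimal, which is how MAME's expression syntax treats them; the buffer base 0xFF8000 is a constructed choice.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef struct {
	char     tag[32];   /* CPU tag, e.g. "maincpu"              */
	char     space;     /* p, m, r, o, d, i or 3                */
	char     size;      /* b, w, d or q                          */
	uint32_t address;
	uint64_t value;
} cheat_action;

/* Parse "<tag>.<space><size>@<hexaddr>=<hexvalue>"; false if malformed. */
bool parse_cheat_action(const char *text, cheat_action *out)
{
	const char *dot = strchr(text, '.');
	const char *at  = dot ? strchr(dot, '@') : NULL;
	const char *eq  = at ? strchr(at, '=') : NULL;
	if (!dot || !at || !eq || at != dot + 3)     /* exactly two letters after the dot */
		return false;
	size_t taglen = (size_t)(dot - text);
	if (taglen == 0 || taglen >= sizeof out->tag)
		return false;
	memcpy(out->tag, text, taglen);
	out->tag[taglen] = '\0';
	out->space = dot[1];
	out->size  = dot[2];
	if (!strchr("pmrodi3", out->space) || !strchr("bwdq", out->size))
		return false;
	char *end;
	out->address = (uint32_t)strtoul(at + 1, &end, 16);
	if (end != eq)                               /* garbage between address and '=' */
		return false;
	out->value = strtoull(eq + 1, &end, 16);
	if (end == eq + 1 || *end != '\0')
		return false;
	return true;
}

/* Width in bytes of the poke. */
size_t cheat_action_width(const cheat_action *a)
{
	switch (a->size) {
	case 'b': return 1;
	case 'w': return 2;
	case 'd': return 4;
	default:  return 8;
	}
}

/* Write the value big-endian into ram, which models [base, base+len).
 * Returns false when the poke would fall outside the window. */
bool apply_cheat_action(const cheat_action *a, uint8_t *ram, uint32_t base, size_t len)
{
	size_t n = cheat_action_width(a);
	if (a->address < base || (size_t)(a->address - base) + n > len)
		return false;
	uint8_t *p = ram + (a->address - base);
	for (size_t i = 0; i < n; i++)
		p[i] = (uint8_t)(a->value >> (8 * (n - 1 - i)));
	return true;
}

uint8_t demo_ram[0x1000];   /* constructed window standing in for FF8000-FF8FFF */

int main(void)
{
	const char *actions[] = { "maincpu.pb@FF8DCE=99", "maincpu.pw@FF8478=90" };
	for (size_t i = 0; i < 2; i++) {
		cheat_action a;
		if (!parse_cheat_action(actions[i], &a)) {
			printf("%s: parse error\n", actions[i]);
			continue;
		}
		bool ok = apply_cheat_action(&a, demo_ram, 0xFF8000, sizeof demo_ram);
		printf("%s -> tag=%s space=%c size=%c addr=%06X value=%llX applied=%d\n",
		       actions[i], a.tag, a.space, a.size, a.address,
		       (unsigned long long)a.value, ok);
	}
	return 0;
}
```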




SSF2X: Debugger Watchpoints (1) 


[Screenshot: MAME debugger on ssf2xj (Super Street Fighter II X: Grand Master Challenge (Japan 940223)); memory window at FF844E, disassembly window at 0C6BD6-0C6C1E, and the console showing the output of "help watchpoints" followed by the watchpoint command used in the demo:]

Watchpoint Commands
Type help <command> for further details on each command

wp[set] <address>,<length>,<type>[,<condition>[,<action>]] -- sets program space watchpoint
wpd[set] <address>,<length>,<type>[,<condition>[,<action>]] -- sets data space watchpoint
wpi[set] <address>,<length>,<type>[,<condition>[,<action>]] -- sets I/O space watchpoint
wpclear [<wpnum>] -- clears a given watchpoint or all if no <wpnum> specified
wpdisable [<wpnum>] -- disables given watchpoint or all if no <wpnum> specified
wpenable [<wpnum>] -- enables a given watchpoint or all if no <wpnum> specified
wplist -- lists all the watchpoints
hotspot [<cpu>,[<depth>[,<hits>]]] -- attempt to find hotspots

wpset 0xFF8878,1,w,1,{printf "P2 Write @ %X=%X with PC=%X", wpaddr, pw@FF8878, PC; go}






































































































































































































































































































































SSF2X: Debugger Watchpoints (2) 


[Screenshot: MAME debugger on ssf2xj stopped at PC 001B7C with A5 = FFFF8000. Disassembly window (note the writes to $400004 and $400006, inside the 0x400000-0x40000A region of the memory-map slide):]

001B64  move.w ($4e,A5), $804166.l
001B6C  move.w ($54,A5), $400004.l
001B74  move.w ($56,A5), $400006.l
001B7C  move.b ($2e7,A5), D0
001B80  move.b D0, D1
001B82  lsl.b #2, D1
001B84  andi.w #$30, D1
001B88  andi.w #$3, D0
001B8C  or.w D1, D0
001B8E  or.w ($34c,A5), D0
001B92  or.w ($34e,A5), D0
001B96  tst.b ($354,A5)
001B9A  bne $1ba2
001B9C  move.w D0, $804040.l
001BA2  move.l ($7e,A5), D0
001BA6  lsr.l #8, D0
001BA8  move.l D0, ($7e,A5)
001BAC  move.w $804030.l, ($350,A5)
001BB4  move.w $804020.l, D0
001BBA  not.w D0

[Console:]

>wpset 0xFF8878,1,w,1,{printf "P2 Write @ %X=%X with PC=%X", wpaddr, pw@FF8878, PC; go}
Watchpoint 5 set
P2 Write @ FF8878=90 with PC=BE64A
P2 Write @ FF8878=8A with PC=7AD0C
P2 Write @ FF8878=8A with PC=BE64A
P2 Write @ FF8878=81 with PC=7AD0C
P2 Write @ FF8878=81 with PC=BE64A
P2 Write @ FF8878=75 with PC=7AD0C
P2 Write @ FF8878=75 with PC=BE64A
P2 Write @ FF8878=5F with PC=7AD0C
P2 Write @ FF8878=5F with PC=7AB3C
P2 Write @ FF8878=3F with PC=BE64A
P2 Write @ FF8878=3B with PC=7AD0C
P2 Write @ FF8878=3B with PC=BE64A


wpset <address>,<length>,<type>[,<condition>[,<action>]]


wpset 0xFF8878,1,w,1,{printf "P2 Write @ %X=%X with PC=%X", wpaddr, pw@FF8878, PC; go}






















SSF2X: Patching m68k for dummies (1) 


• NOP = 0x4e71 

• BEQ = 0x67XXYYYYZZZZ where XXYYYYZZZZ indicates 
how far we will jump forward if the previous comparison 
instruction (usually a TST) was found to be equal. 

• BNE = 0x66XXYYYYZZZZ where XXYYYYZZZZ indicates 
how far we will jump forward if the previous comparison 
instruction (usually a TST) was not equal. 


• So if we need to invert the logic we can change the BEQ into a BNE by swapping the 67 for a 66 in the first byte of the opcode.

• If we want to always force a certain code path we can just NOP the branch instruction.
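The two patches described above, as an added example in C (not code from the talk): the helpers check that the target offset really holds a branch, compute where it goes so the patch can be verified against the listing, flip BEQ to BNE, or overwrite the branch with as many NOPs as its encoding occupies (a branch with a 16-bit displacement is two words, so a single 4E71 would leave a stray word behind). The sample bytes are the 0x68f4a-0x68f75 stretch from the radare2 listing on the next slide, written in big-endian order as the CPU fetches them; the ROM files in a MAME set are word-swapped relative to that view, so mind the byte order of the file you actually edit.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* A 68000 Bcc opcode word is 0110 cccc dddddddd: the high byte selects the
 * condition (0x60 BRA, 0x66 BNE, 0x67 BEQ, ...) and the low byte is an
 * 8-bit displacement; 0x00 means a 16-bit displacement word follows and
 * 0xFF a 32-bit one (68020+). Displacements are relative to opcode + 2. */
#define M68K_NOP 0x4e71u

/* Size in bytes of the branch at off, or 0 if there is no Bcc there. */
size_t bcc_size(const uint8_t *rom, size_t len, size_t off)
{
	if (off + 2 > len || (rom[off] >> 4) != 0x6)
		return 0;
	if (rom[off + 1] == 0x00) return (off + 4 <= len) ? 4 : 0;
	if (rom[off + 1] == 0xff) return (off + 6 <= len) ? 6 : 0;
	return 2;
}

/* Absolute branch target, given the address the image starts at (base).
 * Returns 0 when off does not hold a branch. */
uint32_t bcc_target(const uint8_t *rom, size_t len, size_t off, uint32_t base)
{
	size_t sz = bcc_size(rom, len, off);
	int32_t disp;
	if (sz == 2)
		disp = (int8_t)rom[off + 1];
	else if (sz == 4)
		disp = (int16_t)((rom[off + 2] << 8) | rom[off + 3]);
	else if (sz == 6)
		disp = (int32_t)(((uint32_t)rom[off + 2] << 24) | ((uint32_t)rom[off + 3] << 16) |
		                 ((uint32_t)rom[off + 4] << 8) | rom[off + 5]);
	else
		return 0;
	return (uint32_t)(base + off + 2 + disp);
}

/* Invert the test: BEQ (0x67) <-> BNE (0x66). The displacement is untouched. */
bool invert_beq_bne(uint8_t *rom, size_t len, size_t off)
{
	if (bcc_size(rom, len, off) == 0)
		return false;
	if (rom[off] == 0x67) { rom[off] = 0x66; return true; }
	if (rom[off] == 0x66) { rom[off] = 0x67; return true; }
	return false;
}

/* Remove the branch: overwrite every word of it with NOP so the following
 * instruction keeps its address and the fall-through path always runs. */
bool nop_branch(uint8_t *rom, size_t len, size_t off)
{
	size_t sz = bcc_size(rom, len, off);
	if (sz == 0)
		return false;
	for (size_t i = 0; i < sz; i += 2) {
		rom[off + i]     = M68K_NOP >> 8;
		rom[off + i + 1] = M68K_NOP & 0xff;
	}
	return true;
}

/* 0x68f4a..0x68f75 from the slide's listing, big-endian as the CPU sees it. */
#define SAMPLE_BASE 0x68f4au
const uint8_t SAMPLE_ROM[] = {
	0x4a,0x2e,0x00,0x21,             /* 68f4a  tst.b 0x21(a6)         */
	0x67,0x04,                       /* 68f4e  beq.b 0x68f54          */
	0x41,0xed,0x0b,0xdc,             /* 68f50  lea 0xbdc(a5),a0       */
	0x4a,0x28,0x00,0x00,             /* 68f54  tst.b 0(a0)            */
	0x67,0x1a,                       /* 68f58  beq.b 0x68f74          */
	0x10,0x2c,0x02,0x91,             /* 68f5a  move.b 0x291(a4),d0    */
	0x67,0x14,                       /* 68f5e  beq.b 0x68f74          */
	0x54,0x2e,0x00,0x02,             /* 68f60  addq.b #2,0x2(a6)      */
	0x1d,0x7c,0x00,0x78,0x00,0x1e,   /* 68f64  move.b #0x78,0x1e(a6)  */
	0x2d,0x6e,0x00,0x80,0x00,0x06,   /* 68f6a  move.l 0x80(a6),0x6(a6)*/
	0x60,0x00,0x00,0x38,             /* 68f70  bra.w 0x68faa          */
	0x4e,0x75,                       /* 68f74  rts                    */
};
#define SAMPLE_LEN (sizeof SAMPLE_ROM)
uint8_t work_rom[sizeof SAMPLE_ROM];

void load_sample(void) { memcpy(work_rom, SAMPLE_ROM, SAMPLE_LEN); }

int main(void)
{
	load_sample();
	for (size_t off = 0; off < SAMPLE_LEN; off++)
		if (bcc_size(work_rom, SAMPLE_LEN, off))
			printf("%06X: branch to %06X\n", (unsigned)(SAMPLE_BASE + off),
			       bcc_target(work_rom, SAMPLE_LEN, off, SAMPLE_BASE));
	invert_beq_bne(work_rom, SAMPLE_LEN, 4);    /* beq.b at 68f4e becomes bne.b */
	nop_branch(work_rom, SAMPLE_LEN, 38);       /* bra.w at 68f70 becomes two NOPs */
	return 0;
}
```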



SSF2X: Patching m68k for dummies (2) 


[radare2 "pD" disassembly shown on the slide:]

[0x00068f38]> pD
0x00068f38  0998          bclr d4,(a0)+
0x00068f3a  4a2d02e6      tst.b 0x2e6(a5)
0x00068f3e  661a          bne.b 0x68f5a
0x00068f40  4a2d0349      tst.b 0x349(a5)
0x00068f44  6614          bne.b 0x68f5a
0x00068f46  41ed07dc      lea 0x7dc(a5),a0
0x00068f4a  4a2e0021      tst.b 0x21(a6)
0x00068f4e  6704          beq.b 0x68f54
0x00068f50  41ed0bdc      lea 0xbdc(a5),a0
0x00068f54  4a280000      tst.b 0x0(a0)
0x00068f58  671a          beq.b 0x68f74
0x00068f5a  102c0291      move.b 0x291(a4),d0
0x00068f5e  6714          beq.b 0x68f74
0x00068f60  542e0002      addq.b #0x2,0x2(a6)
0x00068f64  1d7c0078001e  move.b #0x78,0x1e(a6)
0x00068f6a  2d6e00800006  move.l 0x80(a6),0x6(a6)
0x00068f70  60000038      bra.w 0x68faa
0x00068f74  4e75          rts
0x00068f76  532e001e      subq.b #0x1,0x1e(a6)
0x00068f7a  6728          beq.b 0x68fa4
0x00068f7c  102c0291      move.b 0x291(a4),d0
0x00068f80  6710          beq.b 0x68f92
0x00068f82  1d7c0078001e  move.b #0x78,0x1e(a6)
0x00068f88  2d6e00800006  move.l 0x80(a6),0x6(a6)
0x00068f8e  6100001a      bsr.w 0x68faa
0x00068f92  202e0084      move.l 0x84(a6),d0
0x00068f96  90ae0006      sub.l 0x6(a6),d0









CPS2 Encrypt / Decrypt state of the art 


To my knowledge, the only tool that allows decrypting & encrypting CPS2 ROMs for ROM hacking purposes is X.C.O.P.Y.

Released by 'yumeji' in 2007, but the website is no longer available (geocities.jp).

Need to dig on shady forums to find a working copy.


[Screenshot: X.C.O.P.Y. window. System: CPS2 / CPS3; Operation: Decrypt / Encrypt; Romset: pfghtj; Key 1: $97D2EBC0; Key 2: $308F94D7; Upper Limit: $080000; Offset $000000, Filename pcfj.03; Encrypted File: D:\downloads\xcopy20080708\pfghtj\pcfj.03; Decrypted File: D:\downloads\xcopy20080708\pfghtj\pcfj.dec; OK button]





























CPS2 Encrypt / Decrypt state of the art 


To my knowledge, the only tool that allows to decrypt &
encrypt CPS2 ROMs for rom hacking purposes is
X.C.O.P.Y. ... Until Now :P

Released by 'yumeji' in 2007, but website no longer
available (geocities.jp).

Need to dig on shady forums to find a working copy

[Same X.C.O.P.Y. screenshot as the previous slide, with Upper Limit $080000
and Decrypted File D:¥downloads¥xcopy20080708¥pfghtj¥pcfj.dec filled in]

Support CPS2 crypto in radare2 


• Take the CPS2 decryption algorithm from MAME 


• MAME: src/mame/machine/cps2crypt.cpp 


• Add it to rahash2 


• r2: libr/crypto/p/crypto_cps2.c 


• Invert the feistel to also support encryption 


// de/en-crypt the opcodes: i is the low 16 bits of the word address,
// key2[]/sboxes2[] have already been derived for it, so every word that
// shares those low 16 bits (stepping 0x10000 words) uses the same tables
for (a = i; a < length/2 && a < upper_limit/2; a += 0x10000) {
	if (crypt.direction) {
		/* decrypt: rounds in forward order */
		dec[a] = feistel (rom[a], fn2_groupA, fn2_groupB,
			&sboxes2[0*4], &sboxes2[1*4], &sboxes2[2*4], &sboxes2[3*4],
			key2[0], key2[1], key2[2], key2[3]);
		dec[a] = r_read_be16 (&dec[a]);
	} else {
		/* encrypt: same network, sboxes and keys in reverse order,
		   which is the inverse of the decrypt direction */
		dec[a] = r_read_be16 (&rom[a]);
		dec[a] = feistel (dec[a], fn2_groupA, fn2_groupB,
			&sboxes2[3*4], &sboxes2[2*4], &sboxes2[1*4], &sboxes2[0*4],
			key2[3], key2[2], key2[1], key2[0]);
	}
}


Finally write test cases for radare2-regressions ;) 
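As an added illustration (not code from MAME or the radare2 plugin), a small C program showing why the same Feistel routine, run with its round tables and keys in reverse order, is the inverse, and how the per-address loop above applies it word by word. The round function, subkey schedule, key value and ROM bytes are placeholders, not the real CPS2 sboxes or fn1 schedule.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Placeholder round function (NOT MAME's sbox-based fn()): the Feistel
   structure, not this function, is what makes the network invertible. */
static uint8_t round_fn(uint8_t half, uint8_t key)
{
    uint8_t x = (uint8_t)(half ^ key);
    x = (uint8_t)((x << 3) | (x >> 5));
    return (uint8_t)(x * 0x9bu + 0x5cu);
}

/* Four rounds, halves alternating, halves swapped on output. Because of
   that swap, running it again with the keys reversed undoes it, which is
   how the encrypt path above reuses feistel() with reversed sboxes/keys. */
uint16_t feistel4(uint16_t val, const uint8_t keys[4])
{
    uint8_t l = (uint8_t)(val >> 8), r = (uint8_t)val;
    l ^= round_fn(r, keys[0]);
    r ^= round_fn(l, keys[1]);
    l ^= round_fn(r, keys[2]);
    r ^= round_fn(l, keys[3]);
    return (uint16_t)((r << 8) | l);
}

/* Placeholder subkey schedule (NOT MAME's fn1): mixes the 64-bit key with
   the low 16 bits of the word address, as CPS2 keys opcodes on address. */
static void subkeys(uint64_t key, uint16_t addr_lo, uint8_t k[4])
{
    for (int i = 0; i < 4; i++)
        k[i] = (uint8_t)((key >> (16 * i)) ^ (addr_lo >> (8 * (i & 1))) ^ (0x31 * i));
}
/* Same traversal as the plugin loop: one pass per low-16-bit address, stepping
   0x10000 words; words past upper_limit are copied unchanged. Big-endian images. */
void cps2_like_crypt(const uint8_t *rom, uint8_t *out, size_t length,
                     size_t upper_limit, uint64_t key, int encrypt)
{
    for (size_t i = 0; i < 0x10000 && i < length / 2; i++) {
        uint8_t k[4], rev[4];
        subkeys(key, (uint16_t)i, k);
        for (int j = 0; j < 4; j++) rev[j] = k[3 - j];   /* encrypt = reversed */
        for (size_t a = i; a < length / 2; a += 0x10000) {
            uint16_t w = (uint16_t)((rom[2 * a] << 8) | rom[2 * a + 1]);
            if (a < upper_limit / 2)
                w = feistel4(w, encrypt ? rev : k);
            out[2 * a] = (uint8_t)(w >> 8);
            out[2 * a + 1] = (uint8_t)w;
        }
    }
}
```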







Decrypt, patch, encrypt a ROM (1) 


MAME: Super Street Fighter II X: Grand Master Challenge (Japan 940223) [ssf2xj] 



[Screenshot: MAME debugger, ssf2xj stopped at PC 00FE92]

PC  00FE92
SP  00FF0484
ISP FFFFFFF6
USP 00FF0484

D0 00000068
D3 0000FFFF
D4 00000030
D5 00000000
D6 000001AB
D7 00000000
A0 00708D60
A1 FFFF82C0
A2 0002F586
A3 0010229C
A4 FFFF9362
A5 FFFF8000
A6 FFFF0080
A7 00FF0484
PREF_ADDR 00FE92
PREF_DATA 0000526D

Disassembly window (00FE8E-00FF02; only the lines recoverable from the
extraction are shown):
  00FE8E  move.b  D0, ($dce,A5)
  00FE92  addq.w  #1, ($df0,A5)      <- PC
  00FE96  jmp     $6840.w
  00FE9E  move.b  #$1, ($2f1,A5)
  00FEA4  move.b  #$1, ($dd5,A5)
  00FEAA  jmp     $6816.w
  00FEAE  move.b  ($de8,A5), D0
  ...

>bpset 0xfe8e
Breakpoint 1 set
>go
Stopped at breakpoint 1
>go
Stopped at breakpoint 1
>go
Stopped at breakpoint 1
>go _

[0xfe7a]  (radare2 view of the same routine)
  move.b 0x28, 0xdcf(a5)
  moveq 0x1, d1
  move.b 0xdce(a5), d0
  andi.b -0x11, ccr
  sbcd d1, d0
  bcs.b 0xfe9a ;[g]
  ...
  0xfe8e  move.b d0, 0xdce(a5)
          addq.w 0x1, 0xdf0(a5)
          jmp 0x6840.w ;[i]



Decrypt, patch, encrypt a ROM (2) 


[0x00000000]> b 25
[0x00000000]> pD @0xfe8e
    0x0000fe8e  1b400dce      move.b d0, 0xdce(a5)
    0x0000fe92  526d0df0      addq.w 0x1, 0xdf0(a5)
    0x0000fe96  4ef86840      jmp 0x6840.w            ; jump
    0x0000fe9a  426d0dce      clr.w 0xdce(a5)
    0x0000fe9e  1b7c000102f1  move.b 0x1, 0x2f1(a5)
    0x0000fea4  1b7c00        move.b 0, 0(a5)
[0x00000000]> wx 4e714e71@0xfe8e
[0x00000000]> pD @0xfe8e
    0x0000fe8e  4e71          nop                     ; no operation
    0x0000fe90  4e71          nop                     ; no operation
    0x0000fe92  526d0df0      addq.w 0x1, 0xdf0(a5)
    0x0000fe96  4ef86840      jmp 0x6840.w            ; jump
    0x0000fe9a  426d0dce      clr.w 0xdce(a5)
    0x0000fe9e  1b7c000102f1  move.b 0x1, 0x2f1(a5)
    0x0000fea4  1b7c00        move.b 0, 0(a5)
[0x00000000]>


• $ rahash2 -D cps2 -S "0x942a5702 0x05ac140e" sfxj.03c > d_sfxj.03c

• $ r2 -qwn -c "wx 4e714e71@0xfe8e" d_sfxj.03c # infinite time

• $ rahash2 -E cps2 -S "0x942a5702 0x05ac140e" d_sfxj.03c > sfxj.03c





DEMOS 


• DEMO 1 

• Infinite time: wx 4e714e71 @ 0xfe8e 

• DEMO 2 

• Jedpossum Training Mode: 

• $ rahash2 -D cps2 -S "0x942a5702 0x05ac140e" sfxj.03c > d_sfxj.03c

• $ rahash2 -D cps2 -S "0x942a5702 0x05ac140e" sfxj.04a > d_sfxj.04a

• $ r2 -qwn d_sfxj.03c < patch_03c.txt

• $ r2 -qwn d_sfxj.04a < patch_04a.txt

• $ rahash2 -E cps2 -S "0x942a5702 0x05ac140e" d_sfxj.03c > sfxj.03c

• $ rahash2 -E cps2 -S "0x942a5702 0x05ac140e" d_sfxj.04a > sfxj.04a






Future work 


• Fix hardcoded UPPER_LIMIT
value: currently set to 0x400000


• Support CPS3 encryption: I 
really haven't looked into it yet 




Questions? 



THANK YOU 



Bibliography 


• http://en.wikipedia.org/wiki/CP_System_II

• http://cps2shock.emu-france.info/

• http://forums.shoryuken.com/discussion/169077/hacking-the-st-rom/p1

• http://www.mamecheat.co.uk/forums/viewtopic.php?p=13271#p13271

• http://andreasnaive.blogspot.com.es/2006_12_01_archive.html

• http://andreasnaive.blogspot.com.es/2007_01_01_archive.html

• http://pof.eslack.org/2014/04/22/ssf2t-the-quest-for-the-perfect-training-mode/



